Audit Report

OIG-10-016
Management Letter for Fiscal Year 2009 Audit of the Office of D.C. Pensions’ Financial Statements

December 7, 2009

Office of Inspector General
Department of the Treasury

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

December 7, 2009

MEMORANDUM FOR NANCY OSTROWSKI, DIRECTOR
               OFFICE OF THE D.C. PENSIONS

FROM:          Michael Fitzgerald
               Director, Financial Audits

SUBJECT:       Management Letter for Fiscal Year 2009 Audit of the Office of D.C. Pensions’ Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of D.C. Pensions’ (ODCP) Fiscal Year 2009 financial statements. Under a contract monitored by the Office of Inspector General, KPMG LLP, an independent certified public accounting firm, performed an audit of the financial statements of ODCP as of September 30, 2009, and for the year then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the GAO/PCIE Financial Audit Manual.

As part of its audit, KPMG LLP issued and is responsible for the accompanying management letter, which discusses other matters involving internal control over financial reporting and its operations that were identified during the audit but were not required to be included in the auditors’ reports.

In connection with the contract, we reviewed KPMG LLP’s letter and related documentation and inquired of its representatives. Our review disclosed no instances where KPMG LLP did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Shiela Michel, Manager, Financial Audits, at (202) 927-5407.

Attachment

KPMG LLP
2001 M Street, NW
Washington, DC 20036

November 13, 2009

Inspector General, U.S. Department of the Treasury, and
Director, Office of D.C. Pensions:

We have audited the consolidated financial statements of the U.S. Department of the Treasury’s Office of D.C. Pensions (the ODCP) for the year ended September 30, 2009, and have issued our report thereon dated November 13, 2009. In planning and performing our audit of the consolidated financial statements of the ODCP, in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended, we considered the ODCP’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of the ODCP’s internal control. Accordingly, we do not express an opinion on the effectiveness of the ODCP’s internal control.

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These findings and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies, and are summarized in Appendix A to this report.

Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all deficiencies in policies or procedures that may exist. We aim, however, to use the knowledge of the ODCP’s organization gained during our work to make comments and suggestions that we hope will be useful to you. The ODCP’s responses to our findings and recommendations are included in Exhibit A. We did not audit the ODCP’s responses and, accordingly, we express no opinion on them.

This communication is intended solely for the information and use of the ODCP’s management, the U.S. Department of the Treasury’s Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

Appendix A

FINDINGS AND RECOMMENDATIONS

2009-01        Continue to Improve Controls Over New Annuitant Payment Processing

During our testing of a sample of 69 new annuitant benefit payments processed by the District of Columbia Retirement Board (DCRB) for the Police, Firefighters, and Teachers retirement plans, we noted three instances where the DCRB 2nd review failed to identify errors made by the DCRB analysts processing the claims, resulting in the following exceptions:

      1) For one sample item tested, the DCRB analyst incorrectly excluded the new annuitant’s health benefit deduction when calculating the beneficiary payment, which resulted in a one-time overpayment to the beneficiary in the amount of $134.66.

      2) For one sample item tested, the DCRB analyst misapplied the cost of living adjustment (COLA), resulting in a survivor of an annuitant being overpaid a total of $4,076.85, which affected 7 months of benefit payments.

      3) For one sample item tested, the DCRB analyst processing the new annuitant incorrectly prorated the first payment, resulting in a one-time overpayment in the amount of $1,072.81.

The Memorandum of Understanding (MOU) between ODCP and DCRB – Considering Interim Benefit Administration of Retirement Plan, dated December 31, 2008, specifies the obligations of the DCRB; MOU section 3.1.3(d) requires DCRB to enforce all terms of the District Retirement Programs and the Replacement Plan to ensure accurate payments of Federal Benefit Payments and District Payments.

OMB Circular No. A-123, Management’s Responsibility for Internal Control, in the introduction section notes the requirements of the Federal Managers’ Financial Integrity Act (FMFIA) of 1982: “The agency head must establish controls that reasonably ensure that …iii. Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.”

In addition, the U.S. Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1) (the Standards) states: “Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Control activities may be applied in a computerized information system environment or through manual processes.”

The Standards also provides examples of control activities, which include “reviews by management at the functional or activity level.”

The three exceptions discussed above were the result of the DCRB analyst inputting incorrect information into the benefit payment calculation and the 2nd reviewer not identifying the input error.

If incorrect information is input into the System to Administer Retirement (STAR) and not discovered by the 2nd reviewer, new annuitants may not be paid the proper amounts, and benefit payments and the related benefit expense could be misstated in the ODCP financial statements. In addition, ODCP’s actuarial calculations are based on the demographic information in STAR. If the demographic information in STAR is inaccurate, then the actuarial calculations based upon it could also be inaccurate.

Recommendations

We recommend that the ODCP: (1) continue training the DCRB 2nd reviewers so they fully understand their role and responsibilities in performing the 2nd review of the benefit payment calculation; and (2) create a beneficiary checklist that will help the reviewer focus his attention on the areas that carry a higher risk of miscalculating the benefit payment.

Management Response

Management concurs with the findings and recommendations. As a result of these findings, DCRB quickly corrected the benefit payments for the three exceptions noted above and communicated the changes in the payment amounts to the retirement benefits recipients. 
ODCP plans to increase focus on benefit processing for beneficiaries in FY2010 by providing additional training to analysts and second-level reviewers and creating a checklist to assist analysts in processing cases for beneficiaries.

2009-2        Improve Controls Over the Processing of Back Payments During the Annuitant Reinstatement Process

During our testing of 15 off-cycle benefit payments processed by the DCRB for the Police, Firefighters, and Teachers retirement plans, we noted the following breakdown in internal controls over the processing of back payments during the annuitant reinstatement process:

DCRB initiated a transaction to terminate payments in STAR effective March 1, 2006, for an annuitant who was not cashing their annuitant payments. Shortly before, the ODCP had placed a stop payment on 14 monthly annuitant checks issued to this annuitant that had not been cashed, relating to the months of August 2005 through March 2006 and May through October 2004. After DCRB obtained the Verification of Receipt of Annuitant Payment letter from the annuitant on January 27, 2009, an initial back payment was issued to the annuitant for the period from March 1, 2006 through March 2, 2009. However, no payment was made to the annuitant for the 14 stale-dated checks. After we brought this issue to the attention of the ODCP and DCRB, an off-cycle payment in the amount of $47,032 was processed by DCRB for this annuitant on August 25, 2009. Upon further investigation it was discovered that the off-cycle payment of $47,032 incorrectly included 2 months of re-issued checks, resulting in an overpayment to the annuitant of $5,774. DCRB is in the process of issuing an Overpayment of Annuity Letter to the annuitant to reclaim the overpaid amount.

The Memorandum of Understanding (MOU) between ODCP and DCRB – Considering Interim Benefit Administration of Retirement Plan, dated December 31, 2008, specifies the obligations of the DC Retirement Board; MOU section 3.1.3(d) requires DCRB to enforce all terms of the District Retirement Programs and the Replacement Plan to ensure accurate payments of Federal Benefit Payments and District Payments.

OMB Circular No. A-123, Management’s Responsibility for Internal Control, in the introduction section notes the requirements of the Federal Managers’ Financial Integrity Act (FMFIA) of 1982: “The agency head must establish controls that reasonably ensure that …iii. Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.”

In addition, the U.S. Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1) (the Standards) states: “Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Control activities may be applied in a computerized information system environment or through manual processes.”

The Standards also provides examples of control activities, which include “reviews by management at the functional or activity level.”

These errors were the result of ineffective review over the processing of back payments during the annuitant reinstatement process.

If the payment related to the reinstatement of an annuitant is not made timely, or if the payment replacing stale-dated checks is incorrect, then benefit payments and the related benefit expense could be misstated, which can result in misstatements in ODCP’s financial statements and in annuitants not receiving the correct benefit payment amounts.

Recommendation

We recommend that the ODCP improve internal controls over the processing of back payments during the annuitant reinstatement process to ensure that the correct back payments are issued to annuitants. Specifically: (1) staff should be trained on the processing and review of reinstated annuitants, and (2) ODCP’s monthly quality review should include the off-cycle payment population.

Management Response

Management concurs with the finding and recommendations. As a result of this finding, the Bureau of Public Debt (BPD) quickly communicated with the annuitant to notify her of the overpayment and took initial steps to collect the overpayment. ODCP also worked with DCRB and BPD to review and update procedures for annuitant reinstatements to ensure annuitants receive the correct payments timely. 
ODCP plans to expand its quality review program to include off-cycle payments to ensure these payments are being processed correctly.

2009-3         Improve Controls Over Developer Access to the STAR Production Server

During our review of STAR access rights, we identified one developer who had access to the Windows 2003 production web server that supports the STAR application. Records we reviewed showed that the account had been disabled, was enabled on June 30, 2009, and was disabled and removed on August 13, 2009.

Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources, states that “Least privilege is the practice of restricting a user’s access (to data files, to processing capability, or to peripherals) or type of access (read, write, execute, delete) to the minimum necessary to perform his or her job.”

OMB Circular A-130, Appendix III also states, “Incorporate controls such as separation of duties, least privilege, and individual accountability into the application and application rules as appropriate.”

Based on discussions with management, while troubleshooting an access issue with a subsystem related to, but not directly connected with, STAR, a BPD Office of IT System Administrator inadvertently enabled a developer’s account on the wrong web server. When this access was discovered in August, this account (along with other developer accounts that had not been enabled) was deleted on August 13, 2009.

Providing developers with access to the production environment results in a lack of segregation of duties, which increases the risk that program changes are introduced into the production environment without proper authorization. Because the account had been left on the production server in a disabled state rather than removed, a single administrative action was enough to make it usable again, and the change went unnoticed for roughly six weeks.

Recommendation

KPMG recommends that ODCP delete disabled user accounts from the production web server, or require that a disabled account go through the appropriate levels of approval before it is re-activated.

Management Response

Management concurs with the finding and recommendation. The access noted above was accidentally granted, and BPD quickly removed the identified developer’s access soon after the issue was identified. At the same time the developer’s access was removed, BPD also removed all disabled developers’ accounts from the production web server to eliminate the possibility of accidentally enabling the developers’ accounts in the future. As a result, if a developer has a need to access the production web server, the developer is required to follow established access procedures before access to the server is granted.